DPI-SSL > Client SSL

Topics:
Configuring Client DPI-SSL

Configuring Client DPI-SSL

* 
NOTE: For information about DPI SSL, see DPI-SSL Overview .

The Client DPI-SSL deployment scenario typically is used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN. In the Client DPI-SSL scenario, the firewall typically does not own the certificates and private keys for the content it is inspecting. After the appliance performs DPI-SSL inspection, it re-writes the certificate sent by the remote server and signs this newly generated certificate with the certificate specified in the Client DPI-SSL configuration. By default, this is the firewall certificate authority (CA) certificate, or a different certificate can be specified. Users should be instructed to add the certificate to their browser’s trusted list to avoid certificate trust errors.

Topics:
Configuring General Settings
Selecting the Re-Signing Certificate Authority
Configuring Exclusions and Inclusions
Client DPI-SSL Examples

Configuring General Settings

To enable Client DPI-SSL inspection, perform the following steps:
1
Go to the General Settings section of the DPI-SSL > Client SSL page.

2
Select the Enable SSL Client Inspection checkbox. By default, this checkbox is not enabled.
3
Select one or more of the following services with which to perform inspection:
Intrusion Prevention
Gateway Anti-Virus
Gateway Anti-Spyware
Application Firewall
Content Filter
4
Click Accept.

Selecting the Re-Signing Certificate Authority

The re-signing certificate replaces the original certificate signing authority only if that authority certificate is trusted by the firewall. If the authority is not trusted, then the certificate is self-signed. To avoid certificate errors, choose a certificate that is trusted by devices protected by DPI-SSL.

* 
NOTE: For information about requesting/creating a DPI SSL Certificate Authority (CA) certificate, see the Knowledge Base article, How to request/create DPI-SSL Certificate Authority (CA) certificates for the purpose of DPI-SSL certificate resigning (SW14090) in the Dell Support Site.
Selecting a re-signing certificate
1
Navigate to the DPI-SSL > Client SSL page.
2
Go to the Certificate re-signing Authority section.

3
Select the certificate to use from the Certificate drop-down menu. By default, DPI-SSL uses the Default SonicWALL DPI-SSL CA certificate to re-sign traffic that has been inspected.
* 
NOTE: If the certificate you want is not listed, you can import it from the System > Certificates page. See Importing Certificates . For PKCS-12-formatted certificates, see Creating PKCS-12 Formatted Certificate File .
4
To download the selected certificate to the firewall, click the (download) link. The Opening filename dialog appears.
* 
TIP: To view available certificates, click on the (Manage Certificate) link to display the System > Certificates page

a
Ensure the Save File radio button is selected.
b
Click OK.

The file is downloaded.

5
Click Accept.
Adding Trust to the Browser

For a re-signing certificate authority to successfully re-sign certificates, browsers have to trust the certificate authority. Such trust can be established by having the re-signing certificate imported into the browser's trusted CA list. Follow your browser’s instructions for importing re-signing certificates.

Configuring Exclusions and Inclusions

By default, when DPI-SSL is enabled, it applies to all traffic on the appliance. You can customize to which traffic DPI-SSL inspection applies:
Exclusion/Inclusion lists exclude/include specified objects and groups
Common Name Exclusions excludes specified host names

In deployments that process a large amount of traffic, to reduce the CPU impact of DPI-SSL and to prevent the appliance from reaching the maximum number of concurrent DPI-SSL inspected connections, it can be useful to exclude trusted sources.

Topics:
Excluding/Including Objects/Groups
Excluding/Including by Common Name
Excluding/Including Objects/Groups
To customize DPI-SSL client inspection:
1
Navigate to the Inclusion/Exclusion section of the DPI-SSL > Client SSL page.

2
From the Address Object/Group Exclude and Include drop-down menus, select an address object or group to exclude or include from DPI-SSL inspection. By default, Exclude is set to None and Include is set to All.
* 
TIP: The Include drop-down menu can be used to fine tune the specified exclusion list. For example, by selecting the Remote-office-California address object in the Exclude drop-down menu and the Remote-office-Oakland address object in the Include drop-down menu.
3
From the Service Object/Group Exclude and Include drop-down menus, select an address object or group to exclude or include from DPI-SSL inspection. By default, Exclude is set to None and Include is set to All.
4
From the User Object/Group Exclude and Include drop-down menus, select an address object or group to exclude or include from DPI-SSL inspection. By default, Exclude is set to None and Include is set to All.
5
Click Accept.
Excluding/Including by Common Name

You can add domain names to the exclusion list.

Topics:
Excluding/Including Common Names
Deleting Custom Common Names
Excluding/Including Common Names
To exclude/include entities by common name:
1
Click on the Common Name tab.

2
Enter a domain name in the Suffix field.
3
Click Add. The name is added to the Exclusions list.
4
Click Accept at the top of the page to confirm the configuration.
Deleting Custom Common Names
To delete custom common names:
1
Do one of the following:
Selecting the name in the Exclusions and then clicking the Remove button.
Clicking the Remove All checkbox to delete all custom common names.
2
Click Accept.
Showing Connection Failures

SonicOS keeps a list of all client SSL connection failures. You can use this list to add custom common exclusions names.

To see the connection failure list:
1
Click the Show Connection Failures button. The Connection Failure List dialog displays.

 

Each entry in this lists displays the:
Client Address
Server Address
Common Name
Error Message
2
To add an entry to the exclusion list, select the entry and click the Exclude button.
3
To delete an entry, select it and click the Clear button.
4
To delete all entries, click the Clear All button.
5
When you have finished, click the Close button.

Client DPI-SSL Examples

Topics:
Content Filtering
App Rules
Content Filtering
To perform SonicWALL Content Filtering on HTTPS and SSL-based traffic using DPI-SSL:
1
Navigate to General Settings section of the DPI-SSL > Client SSL page.

2
Select the Enable SSL Inspection checkbox.
3
Select the Content Filter checkbox.
4
Click Apply.
5
Navigate to the Content Filter Type section of the Security Services > Content Filter page.

6
Ensure Content Filter Service is selected from the drop-down menu.
7
Click the Configure button. The Filter Properties dialog displays.

8
Clear the Enable HTTPS Content Filtering checkbox.
* 
NOTE: HTTPS content filtering is IP and hostname based. While HTTP content filtering can perform redirects to enforce authentication or provide a block page, HTTPS-filtered pages are silently blocked.
9
Select the appropriate categories to be blocked. For information about configuring this dialog, see Configuring Content Filtering Service .
10
Click OK.
11
Click Accept.
12
Navigate to a blocked site using the HTTPS protocol to verify that it is properly blocked.
* 
NOTE: For content filtering over DPI-SSL, the first time HTTPS access is blocked results in a blank page being displayed. If the page is refreshed, the user sees the firewall block page.
App Rules

To filter by application firewall rules, you need to enable them on both the DPI-SSL > Client SSL page and the App Rules > Policies page.

1
Navigate to General Settings section of the DPI-SSL > Client SSL page.

2
Select the Enable SSL Client Inspection checkbox.
3
Select the Application Firewall checkbox.
4
Click Apply.
5
Navigate to App Rules Global Settings section of the Firewall > App Rules page.

6
Select the Enable App Rules.
7
Configure an HTTP Client policy to block Microsoft Internet Explorer browser with block page as an action for the policy. For how to configure an App Rule, see Configuring an App Rules Policy .
8
Click Apply.
9
Access any website using the HTTPS protocol with Internet Explorer to verify it is blocked.

DPI-SSL also supports Application Level Bandwidth Management over SSL tunnels. App Rules HTTP bandwidth management policies also applies to content that is accessed over HTTPS when DPI-SSL is enabled for App Rules.